Monday, April 06, 2009

Why do large companies like helping phishers?

It was stupid bank behaviour that compelled me to start blogging a few years ago. I've also noted the questionable ways which banks in general deal with customers from a security standpoint (although my bank's recently cleaned up its act somewhat).

Its not just the banks that help to facilitate phishing scams with their antiquated, unsafe processes when dealing with customers. Almost every large institution that holds personal data does at least one thing in an unsafe, insecure way. And almost every organisation that has a call centre forces us to divulge personal (and often account security) details to the person we speak to on the phone before they are "allowed" to access our account. This is not particularly safe either as the person on the other end of the line could very well take down the details and use them later (aka the most common argument against offshoring call centres). But there is a certain level of trust because most of the time, we call a number that we have used in the past and know with 99% certainty belongs to the organisation we mean to be dealing with. It's also the way the process works and we have learned to live with it despite the flaws.

A large amount of the blame here lies in the imbalance when dealing with personal information and the organisations we provide them to in return for a service. Companies have way too much power (and consumers little or no control) when it comes to our information, but I'm going off-topic here as I don't mean to be talking about Vendor Relationship Management (VRM). Back to the topic at hand...

I recently contacted my mobile service provider (from here on in, known as "Stupid Phone Company (SPC)") to change something about my account. First of all, the IVR system made me authenticate myself before patching me through to the warm body at the other end of the line who then proceeded to ask me exactly the same questions I had just provided to the system. I wasn't in the mood to rant at the person as they weren't to blame. They were simply doing their job. Process fail number 1: Why bother having the IVR system waste my time and authenticate me when the fool at the other end of the line is going to ask me the same thing again SPC?

In any case, the person couldn't help me. They said I had to notify the company in writing either via snail mail (what decade are we in SPC?) or via a form on their website. I took the online form option and didn't hear back for a few days.

Today, I received this in my inbox:

"Hi Ian,

Hope you are doing fine.

I’d like to help you Ian, however; for this I will need to access your account and currently I am unable to access your account due to security reasons.

In order for me to access your account and check the details on your account, please confirm the security details given below:

PIN (1st and 2nd digit)OrFull address with postcodeDate of birthMethod of payment

I assure you I'll be able to sort this out as soon as I receive this information.

I look forward to your response.

Kind regards,(Name redacted)"

At this point, the only form of assurance I had that this came from a legitimate source was the "from" address in the email header. This however, isn't exactly difficult to fake (as my first year University lecturer demonstrated to us in ohhh, week 1 of "Computing101"). In other words, I have no assurance that it's from SPC. In fact, it even reads like a phishing email.

Being the paranoid security person that I am, I picked the phone up and called customer service to validate that they had indeed sent me an email and to double-check the email address I had to send the reply to. After questioning the poor customer service person and eventually getting them to agree that this process is ridiculous and insecure, they still insisted they could not get around the process and that this was the only way of getting my issue resolved because my request could not be met over the phone.

So it seems that this is the standard procedure when one fills in an online form with this company. In which case, they are exposing their customers to a security nightmare by building phishing-like behaviour into a standard procedure that all their customers will probably need to use at some point. Did you hear that SPC? Your BAU process is the same as the one phishers use!

I've actually visited this company in a professional capacity (in one of my previous jobs) and can confirm they do indeed have a security procedures and operations department. In other words, "we don't pay people to think about these things" is not a viable excuse. Someone there needs to be fired (and it's not the customer service department).